In just a few weeks, on May 25, 2018, the EU’s new data protection law goes live. The General Data Protection Regulation, commonly known as the GDPR, is the biggest change to European data protection law in over 20 years and will seriously impact businesses across the U.S. and around the world.
Time is running out for proactive compliance activity.
In this article, we briefly highlight some of the most far-reaching changes and burdensome requirements.
- Worldwide Application
The first thing for non-EU businesses to consider is whether they are subject to the GDPR; this new law may apply even if you don’t have a legal or physical presence in the EU.
Now you will have to comply if you offer goods or services to individuals in the EU or monitor their behavior on the Internet. A recent international report found that more than 70% of non-EU respondents said the GDPR would apply to their organizations.
Over recent months, Locke Lord has advised numerous U.S. and internationally-headquartered clients on whether the GDPR applies to their businesses.
2. Fines and Other Sanctions
The maximum fine for breaching the GDPR is up to 40 times larger than under the previous law and even more for big business – EU data authorities have been given the power to levy fines up to €20 million or 4% of the annual worldwide gross revenue of the whole group, whichever is greater.
That said, fines must be proportionate and are discretionary and applied on a case-by-case basis.
However, fines are only part of the story. In cases of breach, adversely affected individuals can claim compensation and the company may suffer negative publicity which can have a severe financial impact and in extreme cases, destroy a business.
3. Enhanced Rights of Data Subjects
Individuals have a right to obtain copies of all their personal data you are processing, generally within 30 days. They also have the right to have it ported to another provider or to object to its processing on certain grounds. They may also be able to require its erasure – the “right to be forgotten.”
4. Reporting Data Breaches
There is a legal obligation to report a personal data breach to the authorities without undue delay – generally within 72 hours. This includes instances of hacking or where you have lost personal data you were holding, wherever there is a risk to individuals.
In serious cases, all individuals potentially affected by the data breach must also be notified, unless the data accessed is properly protected, e.g., by encryption.
5. Information Notices
You must provide individuals with extensive information about how you will process their data – in a transparent, intelligible and easily accessible way, using clear language.
Higher Standard for Consent
The GDPR has raised the bar if you rely on “consent” for processing personal data. Separate consents are now required for different processing activities. Pre-ticked boxes and blanket consents are not valid and individuals must be able to easily withdraw consent at any time.
For children under 13, and potentially up to 15, consent from a parent is required.
6. Processors Now Liable
Under the previous law, where a business processed personal data strictly on someone else’s instructions, it was a data “processor” rather than a data “controller” and not directly subject to EU data protection law. This is no longer the case. Data processors have many of the same obligations as data controllers and both are jointly liable for breaches in which they are involved.
7. Data Protection Officers – “DPOs”
Public authorities and organizations whose core activities require regular and systematic monitoring of data subjects on a large scale, or which process special categories of data on a large scale, must appoint a DPO. Other organizations which process significant personal data are recommended to make such an appointment.
The DPO must carry out a variety of data protection advisory, monitoring and other functions. DPOs must be suitably skilled and experienced, properly resourced and report to the highest levels of management without receiving any instructions and without conflict of interest.
A recent international study found that in Europe alone, 28,000 DPOs will need to be appointed by May 25, 2018.
8. Privacy Impact Assessments
If you are engaged in “high” risk processing – processing that presents a risk of infringing a person’s rights and freedoms, such as large scale processing of sensitive data or monitoring and profiling individual activities – you must carry out a Privacy Impact Assessment or “PIA.” This is a thorough exercise and organizations are likely to require guidance on how to undertake it.
Organizations must have appropriate security measures in place to protect personal data. In particular, this requires technical cybersecurity, such as ISO 27001 certification, but also includes organizational policies and staff training. More detail on this requirement can be found in our article,”Cybersecurity – The Victim Becomes the Law Breaker.”